Strong Customer Authentication

PSD2: Everything you need to know about Strong Customer Authentication (SCA)

Understand what SCA is in practice and its impact on e-commerce in Latin America

A new chapter in a story that will still have many surprises ahead. This is a simple way to understand the current status of Strong Customer Authentication (SCA), the latest guideline announced by the PSD2 in the European payment market.

In order to update the market to a new reality in the payments scenario, PSD2 has among its main objectives to promote competition not only within banks, but also to raise the level of new financial solutions, such as fintechs, with the European system.

In this context, the SCA is launched to support another important pillar contemplated by the PSD2: information security. The new measure is nothing more than a way to regulate and standardize the level of protection that European users will have when making purchases online, regardless of the financial institution responsible for that transaction.

Since it was announced, the measure has become the center of many doubts, as companies have a short time to adjust. The deadline is September 14, 2019. But everything can be simpler than imagined, particularly regarding payments in Latin America, which will not be affected by the change if the flow of the transaction does not at any time pass through the European continent.

In this article, you will find answers to these questions:

  • What is Strong Customer Authentication (SCA) and also the PSD2?
  • How will it impact the European e-commerce market?
  • What are the consequences for the Latin American market?
  • What are the latest global trends for fraud prevention?

What does Strong Customer Authentication really mean?

For the users, verification involving more than one factor is already a commonplace reality for services, accounts or devices and no longer comes as a surprise when accessing an email account, for example.

Now, this same validation process on at least two factors is called Strong Customer Authentication. It will also be extended to online shopping, in order to offer more security and reduce the vulnerability of e-commerce users.

Therefore, from September 14, 2019, online purchases in Europe should consider at least two of these verification steps:

1- Verification based on something you know: this is the model traditionally adopted by e-commerces. The client creates a password to access the register and complete a purchase.

2- Verification based on something you own: in this model, verification is confirmed via a notification sent to an electronic user device such as a smartphone, for example.

3- Verification based on something you are: in the third option, the user uses digital or iris verification to confirm identity during the purchase process.

PSD2 regulation requires that at least two levels of the three options available are utilized. However, the decision of which of them will be adopted and how they will be presented to the user is at the discretion of each company.

Expert’s Analysis

The idea is not to restrict the e-commerce market in Europe nor hinder the user experience. SCA uses the technology in favor of user safety, considering at the same time that companies have the power to analyze what is the best method of combining factors.

Still, at the outset, the process may interfere with cart abandonment rates and seem strange to the general public. On the other hand, as it is a practice that should be adopted by the whole market during the same period, the consumer must become accustomed more quickly to the new reality, since he will encounter a similar process in all stores.

What is worth mentioning in this case is that each brand is free to create a process which is appropriate to its language and target audience. The closer to the institutional communication with which the customer is already accustomed, the greater the chance that the second verification step will not generate mistrust during the purchase, especially soon after the implementation of SCA.


As with any regulation, exemptions also exist for SCA. In this case, the main beneficiaries may be payments which are considered low risk. In the table below, you can confirm the details of each exemption provided in PSD2 for Strong Customer Authentication:

The recommendations for Latin America

Only the e-commerces operating in Europe are affected by PSD2, or in cases where the processing of payments during the purchase are linked in any way to the European continent.

This is not to say that there is no global need for increased security and reduced fraud during digital transactions – quite the contrary. The point is that each market behaves in a specific way, and therefore, each region should be tailored appropriately.

The main fact is that everyone – both company and users – have only to gain from the evolution of security in online shopping. Therefore, the direction that the market is heading tends to be beneficial for both sides, and the bonus for companies operating outside of Europe is not having to worry about an established deadline.

Expert’s Analysis

In summary, the companies which operate in regions other than Europe have nothing to worry about at the moment. The measures do not apply to these cases. Companies that process payments with EBANX, for example, are exempt. This is because in this case, no stage of the flow of payments passes through Europe. The final consumer is not European, but Latin American, so the rule is not applicable in these cases.

This is not to say that using technology to raise the level of transaction security levels in Latin America is not necessary. An advantage of operation in Latin America is summarized in one main point: time.

Inevitably, the market will move towards adopting similar measures in the region after adoption in Europe. The difference is that without the mandatory deadline, companies will benefit from more time for analysis. The behavior of the Latin American public proves them to still be more cautious regarding online transactions when compared to Europeans, who are already more tech-savvy and familiar with different verifications of digital transactions.

Why it matters

For the European market, the deployment of PSD2 with the requirement for the implementation of Strong Customer Authentication signifies a breakthrough in relation to fraud prevention. But that does not mean that other countries are not as concerned about security in transactions. Nor does this mean that the most appropriate process for global e-commerce is to replicate the European model in countries such as Latin America.

Buying behavior and the effects of changes like these can be very different in each region. In Europe, consumers tend to be more mature and secure about buying online. As well, the change will happen in a synchronized way for all players that operate in the region, which reduces distrust in relation to the new process and possibly impacting cart abandonment.

In the case of Latin America, in addition to not being a requirement, and, therefore, not the same market movement to implement the new system prior to September 14, the distrust of new processes during online transactions is much greater. Therefore, replicating the same system as Europe in such a different market could cause alarm and lead to a significant decrease in purchases.

Each region is preparing in its own way to make online shopping safer. Soon, we will have more news about 3DS 2.0, for example, another system developed by the big players of the global payment market which, even without the regulatory nature of PSD2, tends to change how each region acts in relation to new security trends for online shopping authentication. Obviously, the Latin American market should not be oblivious to these global market trends.

In summary, the market is evolving, and changes will occur for everyone. But, if you operate in Latin America, time is your best ally in relation to PSD2, as you will not be obligated to implement new validation steps fulfilling the September 14 deadline. On the other hand, this does not mean that Latin America will not evolve in this direction. On the contrary, the trend is global. Mainly because fraud rates on card-not-present transactions should not be ignored and even the market giants are moving to reduce these risks.

For the Latin American market, this is the best time to learn from the changes that have taken place in Europe, to understand the local behavior of the Latin American public and to be attentive to upcoming market movements.